On Mon, Feb 15, 2016 at 12:55:06PM +1100, Alexey Kardashevskiy wrote: > At the moment pages used for TCE tables (in addition to pages addressed > by TCEs) are not counted in locked_vm counter so a malicious userspace > tool can call ioctl(KVM_CREATE_SPAPR_TCE) as many times as > RLIMIT_NOFILE and lock a lot of memory. > > This adds counting for pages used for TCE tables. > > This counts the number of pages required for a table plus pages for > the kvmppc_spapr_tce_table struct (TCE table descriptor) itself. > > This changes release_spapr_tce_table() to store @npages on stack to > avoid calling kvmppc_stt_npages() in the loop (tiny optimization, > probably). > > This does not change the amount of used memory. > > Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx> Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> Alas, this may cause failures with older libvirts in certain configurations which may not have estimated enough locked memory. Newer libvirts should be taking this amount into account (even though it wasn't actually accounted as locked vm until now). Has to be done, though. -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
Attachment:
signature.asc
Description: PGP signature
